target=_blank exploit

When a website uses target='_blank' on their links in order to open a new tab or window, that website gives the new page access to the existing window through the window.opener API, allowing it a few permissions. Some of these permissions are automatically negated by cross-domain restrictions, but window.location is fair game.

Apparently, if you open a site with target="_blank", they can reach back and mess with your original window, including transferring you to a phishing website. This was just effectively demonstrated to me when I followed a link to this blog from my RSS reader. And it can be demonstrated for you too when you click the link above.

I had no idea this was possible. Why the fuck is this even a thing? What were the browser vendors thinking?

Well, back when that API was created it was a more innocent time, developers hadn't realized exactly how much of an issue cybercrime would become. They sought only to create the ability to make more functional websites with interconnected tabs, because the idea of SPA had not become a thing (thank the goddess). These good intentions have now been warped and perverted to uses the developers never considered and would, probably, be appalled to consider.

Interesting, it seems my Firefox settings or the NoRequestPolicyContinued plugin somehow intercepts this. It does raise a warning in a new tab though, asking me for permission as if to follow a redirect...

@anotherusername or just don't use target="_blank". It's 2016, mouses have middle buttons, the last browser that didn't support tabs is long dead, there's pretty much no point in using it anymore. If I want something opened in a new tab, I'll just open it in a new tab, thank you very much.

A lot of sites disable middle-click now. I really want to beat them with a spiky clue-bat. Especially my main online news site, middle-click no longer works and you have to left-click to open an almost full-page dialog that covers the original page with the article contents and closes if you accidentally click anywhere...

@Maciejasjmj no. Point blank no. The opposite in fact. I virtually always want links to open in new tabs, unless they're navigating within the same website I'm already on. If I want an external link to open in the current tab I'll drag it up to the location bar myself.

Okay, it looks like it's stripping out target="_blank" (which the original raw post also had, by the way), but for people who have settings that force links to open in new tabs, the behavior still takes place.

The opposite in fact. I virtually always want links to open in new tabs, unless they're navigating within the same website I'm already on.

Then click them with your middle mouse button. PROBLEM SOLVED!

It should be up to the user, really. You want all links in new tabs, I want all links in the same tab unless I explicitly state I want a new tab. Instead, with target=_blank, I have no option to open the link in the same tab other than dragging it to the address bar, and that's just a retarded way to work around it.

@Lorne-Kates it's called Javascript. It makes it possible to have web pages that do things other than text and images. On a modern browser, without core features turned off, some pages actually look different to this one:

target=_blank is helpful for javascript games (inb4 derision of the concept) where leaving the page means you lose game progress, at least for links that you are likely to misclick while playing the game.

@coderpatsy saving state in a cookie or in localStorage so the game can resume where it was interrupted is even more helpful for those games.

Seriously though, that's not a bad idea; in fact it's what I did in the HTML/JS games I wrote (Sudoku) or adapted (4096) to play in DropBox, because my iPhone is really quick to force quit an app I was just using because I opened a different app and it only has like 3 bytes of RAM.

Nice. Funny thing is, I opened this topic as a new tab (with a middle click) from the list of topics, then left-clicked the link (and my settings are to open links in new tabs): not only did it change this tab, but it also went back and changed the tab with the list of topics! (in addition to opening a new tab with the new page in it, of course)

Out of curiosity, what kind of information is passed around when opening a new tab that makes this possible?

It's vulnerable if the user's setting is to open links in new tabs by default. Which, granted, isn't the default setting, but it's common enough that it might be good to protect those users. Adding rel="noopener noreferrer" to external links shouldn't hurt anything, in any case.
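Added example, not from any post in this thread: a sketch of the mitigation suggested above, adding rel="noopener noreferrer" to every external link whether or not it carries target="_blank", since users who force links into new tabs are exposed either way. The origin `https://forum.example`, the function names and the sample markup are assumptions made for illustration; a real pipeline would do this inside its HTML sanitizer rather than with a regex over quoted attributes.

```javascript
// Assumption: the site's own origin; links to anything else count as external.
const SITE_ORIGIN = "https://forum.example";

// True when href resolves to a different origin than the site.
function isExternal(href, siteOrigin = SITE_ORIGIN) {
  try {
    return new URL(href, siteOrigin).origin !== siteOrigin;
  } catch {
    return true; // unparseable href: treat as external and harden it
  }
}

// Keep existing rel tokens (e.g. nofollow) and add the two protective ones.
function mergeRel(existing) {
  const tokens = new Set(
    (existing || "").toLowerCase().split(/\s+/).filter(Boolean)
  );
  tokens.add("noopener");   // new page gets window.opener === null
  tokens.add("noreferrer"); // also suppresses the Referer header
  return [...tokens].join(" ");
}

// Rewrite <a> start tags in an HTML string. The target attribute is ignored
// on purpose: stripping or omitting it does not help users whose browser
// settings open links in new tabs anyway.
function hardenLinks(html, siteOrigin = SITE_ORIGIN) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const href = /(?:^|\s)href\s*=\s*(["'])(.*?)\1/i.exec(attrs);
    if (!href || !isExternal(href[2], siteOrigin)) return tag;
    const rel = /(^|\s)rel\s*=\s*(["'])(.*?)\2/i.exec(attrs);
    const value = mergeRel(rel && rel[3]);
    const newAttrs = rel
      ? attrs.replace(rel[0], () => `${rel[1]}rel="${value}"`)
      : `${attrs} rel="${value}"`;
    return `<a${newAttrs}>`;
  });
}

// Constructed sample post body.
const SAMPLE =
  '<a href="https://other.example/x" target="_blank">ext</a> ' +
  '<a href="/topic/1" target="_blank">int</a>';
console.log(hardenLinks(SAMPLE));
```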

If I want something opened in a new tab, I'll just open it in a new tab, thank you very much.

QFT. I’ve been slightly annoyed by sites that open links in new windows/tabs ever since that first started appearing — I can decide for myself which window/tab I want to view the linked site in, thank you very much. But at least it’s not a damned lightbox.

Nice. Funny thing is, I opened this topic as a new tab (with a middle click) from the list of topics, then left-clicked the link (and my settings are to open links in new tabs): not only did it change this tab, but it also went back and changed the tab with the list of topics! (in addition to opening a new tab with the new page in it, of course)

Out of curiosity, what kind of information is passed around when opening a new tab that makes this possible?

Don't give Nod too much credit. Much of the jellypotato behavior can be ascribed to the way it uses socket.io to broadcast messages. There is apparently some cross-talk between socket.io sessions that causes the wrong tabs to receive certain messages, or tabs to miss messages they should have received.

I don't know whether to blame socket.io or the way it's being used here.

@anotherusername or just don't use target="_blank". It's 2016, mouses have middle buttons, the last browser that didn't support tabs is long dead, there's pretty much no point in using it anymore. If I want something opened in a new tab, I'll just open it in a new tab, thank you very much.

Some people's bosses order them to set specific links to automatically open with target="_blank"

@Lorne-Kates that's a completely different question that doesn't apply to this situation at all. Simple javascript links don't override the right-click context menu. They just make some of the options in the right-click menu not work correctly.
